Modern Techniques to Deobfuscate UEFI/BIOS Malware and Virtualized Packers

Modern advanced malware samples are used to infect countries and they make part of the current cyber war, cyber espionage and financial attacks. Furthermore, critical actors, who write these malicious code try to make the static and dynamic analysis really hard by heavily virtualizing and obfuscating their code using techniques such as CFG, virtualization, call stack manipulation, dead code, opaque predicate and so on. To manage these complex scenarios above, we are able to use tools such as METASM, MIASM and several emulation techniques to make the code simpler. The goal is to reduce the code (most of time by using symbolic analysis), in order to allow us a better understanding of the threat. This presentation aims to show concepts and a practical approach on how to handle obsfuscation reverse engineering challenges and threats involving BIOS/UEFI malware.https://conference.hitb.org/hitbsecconf2019ams/materials/D1T1%20-%20Modern%20Techniques%20to%20Deobfuscate%20UEFI:BIOS%20Malware%20-%20Alexandre%20Borges.pdf